Introduction

During the last four years the National Security Agency’s Systems and Network Attack Center (C4) has released Security Guides for operating systems, applications and systems that operate in the larger IT network. These security guides can be found at our web site www.nsa.gov/ Security Recommendation Guides. Many organizations across the Department of Defense have used these documents to develop new networks and to secure existing IT infrastructures. This latest Security Guide addresses security a bit differently. Our goal is to make system owners and operators aware of fixes that become “force multipliers” in the effort to secure their IT network.

Security of the IT infrastructure is a complicated subject, usually addressed by experienced security professionals. However, as more and more commands become “wired”, an increasing number of people need to understand the fundamentals of security in a networked world. This Security Guide was written with the less experienced System Administrator and information systems manager in mind, to help them understand and deal with the risks they face.

Opportunistic attackers routinely exploit the security vulnerabilities addressed in this document, because they are easily identified and rarely fixed. ISSMs, ISSOs and System Administrators provide a level of risk management against the multitude of vulnerabilities present across the IT infrastructure. The task is daunting when considering all of their responsibilities. Security scanners can help administrators identify thousands of vulnerabilities, but their output can quickly overwhelm the IT team’s ability to effectively use the information to protect the network. This Security Guide was written to help with that problem by focusing on the experience of our research and operational understanding of the DoD and other US Government IT infrastructures.

This Security Guide should not be misconstrued as anything other than security “best practices” from the National Security Agency's Systems and Network Attack Center (C4). We hope that the reader will gain a wider perspective on security in general, and better understand how to reduce and manage network security risk.

We welcome your comments and feedback. SNAC.Guides@nsa.gov

UNCLASSIFIED


General Guidance

The following section discusses general security advice that can be applied to any network.

Security Policy

(This section is an abstract of the security policy section of RFC 2196, Site Security Handbook. Refer to this RFC for further details.)

A security policy is a formal statement of the rules that people who are given access to an organization's technology and information assets must abide by. The policy communicates the security goals to all of the users, the administrators, and the managers. The goals will be largely determined by the following key tradeoffs: services offered versus security provided, ease of use versus security, and cost of security versus risk of loss.

The main purpose of a security policy is to inform the users, the administrators and the managers of their obligatory requirements for protecting technology and information assets. The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy. In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization.

A good security policy must:

Be able to be implemented through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods

Be able to be enforced with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible

Clearly define the areas of responsibility for the users, the administrators, and the managers

Be communicated to all once it is established

Be flexible to the changing environment of a computer network since it is a living document

Operating Systems and Applications: Versions and Updates

As much as possible, use the latest available and stable versions of the operating systems and the applications on all of the following computers on the network: clients, servers, switches, routers, firewalls and intrusion detection systems. Keep the operating systems and the applications current by installing the latest updates (e.g., patches, service packs, hotfixes), especially updates that correct vulnerabilities that could allow an attacker to execute code. Note that some updates may not be applied to the computer until a reboot occurs. The following applications should be given particular attention because they have been frequently targeted (e.g., by CodeRed, Melissa virus, Nimda): IIS, Outlook, Internet Explorer, BIND and Sendmail.


Know Your Network

Developing and maintaining a list of all hardware devices and installed software is important to the security of the IT infrastructure. Understanding software applications that are installed by default is also important (e.g., IIS is installed by default by SMS and SQL Server on Windows platforms). A quick method for taking inventory of services running on the network is to port scan.

TCP/UDP Servers and Services on the Network

Scan the network for all active TCP/UDP servers and services on each computer in the network. Shut down unnecessary servers and services. For those servers that are necessary, restrict access to only those computers that need it. Turning off functional areas, which are seldom used but have vulnerabilities, prevents an attacker from being able to take advantage of them. Other applications install with sample CGI scripts, which sometimes contain problems. As a general rule do not install sample applications in production systems.

Passwords

Poor password selection is frequently a major problem for any system's security. Users should be forced to change their passwords regularly. Set up password aging via Account Policy for Windows systems or the /etc/default/passwd file in UNIX. Administrators should obtain and run password-guessing programs (i.e., “John the Ripper,” “L0phtCrack,” and “Crack”) frequently to identify those users having easily guessed passwords. Because password cracking programs are very CPU intensive and can slow down the system on which they are running, it is a good idea to transfer the encrypted passwords (the dumped SAM database for Windows and the /etc/passwd and /etc/shadow files in UNIX) to a stand-alone (not networked) system. Also, by doing the work on a non-networked machine, any results found will not be accessible by anyone unless they have physical access to that system.

Passwords should:

Be 12 or more characters in length on Windows systems, 8 characters in length on UNIX

Include upper and lower case letters, numbers, and special characters

Not consist of dictionary words

Be changed regularly (every 30 to 90 days)

For UNIX, be encrypted and stored in the /etc/shadow file (for some UNIX systems) with permissions set to 400 with ownership by root and group sys. The /etc/passwd file should have permissions 644 with owner root and group root.

Be cracked every month to find users choosing easily guessed or cracked passwords

For UNIX, lock the following accounts by placing a *LK* in the encrypted password field in /etc/shadow: adm, bin, daemon, listen, lp, nobody, noaccess, nuucp, smtp, sys, uucp. These accounts should not have login shells; rather, they should be set to /dev/null.
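The following script is an added example, not part of this guide: it checks a passwd/shadow pair against the UNIX recommendations above (system accounts locked with *LK* and given /dev/null as their shell, password aging within 90 days) and checks candidate passwords against the length, character-class and dictionary-word rules. The sample passwd and shadow contents and the small word list are constructed for the example, not taken from any real host.

```python
"""Audit a UNIX passwd/shadow pair and candidate passwords against the
password guidance above.  Added example; the sample files and the word
list below are constructed, not taken from any host."""

# Accounts the guide says to lock with *LK* and to give no login shell
LOCK_ACCOUNTS = {"adm", "bin", "daemon", "listen", "lp", "nobody", "noaccess",
                 "nuucp", "smtp", "sys", "uucp"}
MAX_AGE_DAYS = 90       # change passwords every 30 to 90 days
MIN_LENGTH_UNIX = 8     # 8 characters on UNIX (12 or more on Windows)
SPECIALS = set(",./<>;':\"[]\\{}|~!@#$%^&*()_+`-=")
# Constructed stand-in for a real dictionary file
DICTIONARY = {"password", "secret", "welcome", "letmein", "summer"}

# Constructed sample files (hashes are placeholders, not real digests)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
bin:x:2:2:bin:/usr/bin:/dev/null
daemon:x:1:1:daemon:/:/bin/sh
lp:x:71:8:lp:/usr/spool/lp:/dev/null
alice:x:1001:10:Alice:/home/alice:/bin/ksh
bob:x:1002:10:Bob:/home/bob:/bin/ksh
"""
SAMPLE_SHADOW = """\
root:$1$abcdefgh$CONSTRUCTEDHASHVALUE000:11900:0:90:7:::
bin:*LK*:11900::::::
daemon:NP:11900::::::
lp:*LK*:11900::::::
alice:$1$ijklmnop$CONSTRUCTEDHASHVALUE001:11900:0:60:7:::
bob:$1$qrstuvwx$CONSTRUCTEDHASHVALUE002:11900:0:365:7:::
"""


def parse_colon_file(text):
    """Return {name: fields} for a colon-separated file such as passwd or shadow."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Return a sorted list of (account, finding) pairs."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in shadow.items():
        # shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
        pw_hash = fields[1] if len(fields) > 1 else ""
        max_days = fields[4] if len(fields) > 4 else ""
        shell = passwd[name][6] if name in passwd and len(passwd[name]) > 6 else ""
        if name in LOCK_ACCOUNTS:
            if pw_hash != "*LK*":
                findings.append((name, "system account not locked with *LK*"))
            if shell != "/dev/null":
                findings.append((name, "system account has login shell " + (shell or "(none)")))
        else:
            if pw_hash == "":
                findings.append((name, "empty password field"))
            if not max_days.isdigit() or int(max_days) > MAX_AGE_DAYS:
                findings.append((name, "password max age %s exceeds %d days"
                                 % (max_days or "unset", MAX_AGE_DAYS)))
    return sorted(findings)


def meets_policy(password, min_length=MIN_LENGTH_UNIX):
    """True if the password satisfies the length, character-class and
    dictionary-word rules listed above."""
    if len(password) < min_length:
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in SPECIALS for c in password))
    if not all(classes):
        return False
    # reject a dictionary word even when digits or symbols are wrapped around it
    core = password.strip("0123456789" + "".join(SPECIALS)).lower()
    return core not in DICTIONARY


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-8s %s" % (account, finding))
    for candidate in ("Password1!", "Tr0ub4dor&3"):
        print(candidate, "meets policy" if meets_policy(candidate) else "rejected")
```

On a real system the two texts would be read from /etc/passwd and /etc/shadow on the stand-alone machine the text recommends; the audit only reports, it never modifies the files.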


Do Not Run Code From Non-Trusted Sources

For the most part, software applications run in the security context of the person executing them without any consideration to source. A PKI infrastructure may help, but when not available remember that spoofing the “From” line of an e-mail message and disguising URLs are trivial. DO NOT OPEN E-MAIL ATTACHMENTS OR RUN PROGRAMS UNLESS THE SOURCE AND INTENT ARE CONFIRMED AND TRUSTED. Always run Outlook so that it executes in the restricted zone and disable all scripting and active content for that zone. For more specific details, reference “E-mail Client Security in the Wake of Recent Malicious Code Incidents” available at http://www.nsa.gov.

Block Certain E-Mail Attachment Types

There are numerous kinds of executable file attachments that many organizations do not need to routinely distribute via e-mail. If possible, block these at the perimeter as a countermeasure against the malicious code threat. Organizations using Outlook can also block them using Outlook 2002 or, for earlier versions of Outlook, using the appropriate security patches. The specific file types that can be blocked are:

It may be prudent to add or delete files from this list depending upon operational realities. For example, it may be practical to block applications within the Microsoft Office family, all of which can contain an executable component. Most notable are Microsoft Access files, which unlike other members of the Office family have no intrinsic protection against malicious macros.

Follow The Concept Of Least Privilege

Least privilege is a basic tenet of computer security that means users should be given only those rights required to do their job. Malicious code runs in the security context of the user launching the code. The more privileges the user has, the more damage the code can do. Recommendations pertaining to the least privilege principle include:

Keep the number of administrative accounts to a minimum

Administrators should use a regular account as much as possible instead of logging in as administrator or root to perform routine activities such as reading mail

Set resource permissions properly. Tighten the permissions on tools that an attacker might use once he has gained a foothold on the system, e.g., explorer.exe, regedit.exe, poledit.exe, taskman.exe, at.exe, cacls.exe, cmd.exe, finger.exe, ftp.exe, nbtstat.exe, net.exe, net1.exe, netsh.exe, rcp.exe, regedt32.exe, regini.exe, regsvr32.exe, rexec.exe, rsh.exe, runas.exe, runonce.exe, svrmgr.exe, sysedit.exe, telnet.exe, tftp.exe, tracert.exe, usrmgr.exe, wscript.exe, and xcopy.exe. Unix tools or utilities that should be restricted are debuggers, compilers, and scripting languages such as gcc, perl, etc.

The least privilege concept also applies to server applications. Where possible, run services and applications under a non-privileged account.

Application Auditing

Most server-level applications have extensive auditing capabilities. Auditing can be of value in tracking down suspected or actual intrusions. Enable auditing for server applications and audit access to key files (such as those listed above) that an attacker might use once he has gained a foothold on a compromised server.

Network Printer

Today’s network printers contain built-in FTP, WEB, and Telnet services as part of their OS. Enabled network printers can be readily exploited and are often overlooked by system administrators as a security threat. These network printers can be, and often are, exploited as FTP bound servers, Telnet jump-off platforms, or exploited by web management services. Change the default password to a complex password. Explicitly block the printer ports at the boundary router/firewall and disable these services if not needed.

Simple Network Management Protocol (SNMP)

SNMP is widely used by network administrators to monitor and administer all types of computers (e.g., routers, switches, printers). SNMP uses an unencrypted "community string" as its only authentication mechanism. Attackers can use this vulnerability in SNMP to possibly gather information from, reconfigure or shut down a computer remotely. If an attacker can collect SNMP traffic on a network, then he can learn a great deal about the structure of the network as well as the systems and devices attached to it.

Disable all SNMP servers on any computer where it is not necessary. However, if SNMP is a requirement, then consider the following. Allow read-only access and not read-write access via SNMP. Do not use standard community strings (e.g., public, private). If possible, only allow a small set of computers access to the SNMP server on the computer.

Network Security Testing

Test regularly the security of all of the following computers on the network: clients, servers, switches, routers, firewalls and intrusion detection systems. Also, do this after any major configuration changes on the network.

Shut down unneeded TCP/UDP servers (e.g., bootps, finger) on the router or the firewall. Servers that are not running cannot break. Also, more memory and processor slots are available with fewer servers running.

For TCP/UDP servers on the router or the firewall that are necessary, make sure that access to them is limited only to the administrators.

Disable any unused interface on the router or the firewall. Protect each and every active interface on the router or the firewall from information gathering and attacks.

Protect each and every management port on the router or the firewall from attacks. Disable any unused management port.

Configure durable passwords on the router or the firewall. For each password use the following guidelines: be at least eight characters long, not be words, not begin with a number, and include at least one character from the sets of letters, numbers and all other characters (e.g., ,./<>;’:”[]\{}|~!@#$%^&*()_+`-= ). Consider using different passwords for each router and each firewall. Change passwords at least once every 90 days.

The show processes command can help to show active information about the servers on the router. The following commands show how to disable the following servers: TCP/UDP small servers (echo, discard, daytime, chargen), bootps, finger, http, identd and snmp.
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
Router(config)#no ip bootp server
Router(config)#no service finger
Router(config)#no ip http server
Router(config)#no ip identd
Router(config)#no snmp-server community <community string>

If SNMP on the router is required, use the following commands to clear out any SNMP servers with default community strings.
Router(config)#no snmp-server community public
Router(config)#no snmp-server community private

Then set up the SNMP server with a community string that is difficult to guess. Also, if possible, allow only read-only access to the server; do not allow read-write access to the server. Apply an access-list to the server. Refer to the following section on TCP/IP Filters for discussion of an access-list for SNMP in more detail. The following command is an example.
Router(config)#snmp-server community S3cr3t-str1n9 ro 10

The following command disables a router interface.
Router(config-if)#shutdown

Secure each and every active interface on the router from Smurf attacks, ad-hoc routing and access-list queries with the following commands.
Router(config-if)#no ip directed-broadcast
Router(config-if)#no ip proxy-arp
Router(config-if)#no ip unreachables

Configure the console line and the virtual terminal lines on the router to time out a session, to require a password at login and to allow only telnet traffic. If the auxiliary line is not needed, then it should be disabled. Use the following line configuration commands to configure the lines.
Router(config)#line con 0
Router(config-line)#exec-timeout 5 0
Router(config-line)#login
Router(config-line)#transport input telnet
Router(config)#line aux 0
Router(config-line)#no exec
Router(config-line)#exec-timeout 0 5
Router(config-line)#no login
Router(config-line)#transport input none
Router(config)#line vty 0 4

Configure the Enable Secret password, which is protected with an MD5-based algorithm. The following global configuration command is an example.
Router(config)#enable secret 0 2manyRt3s

Configure passwords for the console line, the auxiliary line and the virtual terminal lines. Use a different password for the console line and the auxiliary line versus the virtual terminal lines. The following line configuration commands are examples.
Router(config)#line con 0
Router(config-line)#password Soda-4-jimmY
Router(config)#line aux 0
Router(config-line)#password Popcorn-4-sara
Router(config)#line vty 0 4
Router(config-line)#password Dots-4-georg3

Provide a basic protection for the line passwords by using the following global configuration command.
Router(config)#service password-encryption

TCP/IP Filters

Carefully consider which TCP/IP services will be allowed through and to the perimeter routers and firewalls (inbound and outbound). Use the following guidelines for creating filters: those services that are not explicitly permitted are prohibited. The following tables present common services to restrict because they can be used to gather information about the protected network or they have weaknesses that can be exploited against the protected network.

Table 1 lists those TCP or UDP servers that should be completely blocked at the perimeter router or firewall. These services should not be allowed across the router or the firewall in either direction. Also, they should not be allowed to the router or the firewall.

Table 2 lists those TCP or UDP servers on the protected network, on the router or on the firewall that should not be accessible by external clients.

Table 3 lists the common TCP or UDP servers on the protected network, on the router or on the firewall that may need some access by internal or external clients and servers. Many of these services can be filtered to the few authorized computers (e.g., ftp server, mail server, domain name server, web server) on the protected network or on the DMZ subnet.

Table 4 lists the ICMP message types that can be allowed outbound from the protected network, while all other message types should be blocked.


Table 5 lists the ICMP message types that can be allowed inbound to the protected network, while all other message types should be blocked.

In general, the administrator should create filters focusing on what services and hosts are permitted and denying everything else. This method means that one may not need to block each service in the tables below with a specific filter statement. Finally, use an intrusion detection system on the protected network to monitor the TCP/IP traffic that is allowed past the perimeter routers and firewalls.

Table 1: TCP or UDP Servers to Completely Block at the Perimeter Router/Firewall

This section describes methods using filters to defend the router, the firewall and the protected network from information gathering and attacks. Note that one needs to be careful with combining the below recommendations together in any filter in order to prevent contradictions or other problems.

When creating a TCP/IP filter always delete any previous filter.

Set logging for each statement in the filter that blocks access. This feature will provide valuable information about what types of packets are being denied and can be used in intrusion detection against one’s network. Refer to the following section on Logging and Debugging for discussion of logging configuration in more detail.

Protect the router or the firewall from the Land Attack. This attack involves sending a packet to the router with the same IP address in the source address and destination address fields and with the same port number in the source port and destination port fields. This attack can cause a denial of service.

Protect the router or the firewall from the TCP SYN Attack. The TCP SYN Attack involves transmitting a volume of connections that cannot be completed at the destination. This attack causes the connection queues on the router or the firewall to fill up, thereby denying service to legitimate TCP traffic.

Protect the router, the firewall or the protected network from unnecessary ICMP traffic. There are a variety of ICMP message types, and some are associated with programs. Some message types are used for network management and are automatically generated and interpreted by network devices. For example, the ping program works with message type Echo. With Echo packets an attacker can create a map of the protected networks behind the router or the firewall. Also, he can perform a denial of service attack by flooding the router, the firewall or the hosts on the protected network with Echo packets. With Redirect packets the attacker can cause changes to a host’s routing tables.

For outbound ICMP traffic, one should allow the message types Echo, Parameter Problem and Source Quench. Otherwise, block all other ICMP message types going outbound. With Echo packets users will be able to ping external hosts. Parameter Problem packets and Source Quench packets improve connections by informing about problems with packet headers and by slowing down traffic when it is necessary. For inbound ICMP traffic, one should allow the following message types: Echo Reply, Destination Unreachable, Source Quench, Time Exceeded and Parameter Problem. Otherwise, block all other ICMP message types coming inbound.

Protect the router, the firewall or the protected network from inbound traceroute. Traceroute is a utility that prints the IP addresses of the routers that handle a packet as the packet hops along the network from source to destination. On Unix operating systems traceroute uses UDP packets and causes routers along the path to generate ICMP message types Time Exceeded and Unreachable. Similar to ICMP Echo packets, an attacker can use traceroute to create a map of the protected network behind the router or the firewall.

Apply a filter to the router or the firewall to allow only a small set of computers (e.g., those used by the administrators) Telnet access to the router or the firewall. Log all successful and unsuccessful connections.

If an SNMP server is necessary on the router or the firewall, then apply a filter to the router or the firewall to allow only a small set of computers (e.g., those used by the administrators) SNMP access to the router or the firewall. Log all successful and unsuccessful connections.

Example: Cisco IOS Routers

The following scenario steps through the recommendations listed above.

The following commands show an example of how to clear out a previous version of an access-list before creating a new access-list.
Router(config)#no access-list 100
Router(config)#access-list 100 permit ip 10.2.9.0 0.0.0.255 any
Router(config)#access-list 100 permit ip 10.55.1.0 0.0.0.255 any

The following commands show an example of how to set logging on an extended IP access-list statement.
Router(config)#access-list 102 permit tcp 10.4.6.0 0.0.0.255 any eq 80
Router(config)#access-list 102 deny ip any any log

Note that there is an implicit deny statement at the end of every access list on a Cisco router. This implicit statement blocks all other packets not permitted by the rest of the access-list. However, it does not log these packets. Thus, add the following statements at the end of each extended IP access-list. These statements will guarantee that the router will log the values for the source and destination ports for TCP and UDP traffic being denied.
Router(config)#access-list 106 deny udp any range 0 65535 any range 0 65535 log
Router(config)#access-list 106 deny tcp any range 0 65535 any range 0 65535 log
Router(config)#access-list 106 deny ip any any log

Protect the router against the TCP SYN Attack for the following two scenarios: blocking external access and limited external access. Below is an example for blocking external access on a Cisco router. The access list blocks packets from any external network that have only the SYN flag set. Thus, it allows traffic from TCP connections that were established from the protected network (e.g., 14.2.6.0), and it denies anyone coming from any external network from starting any TCP connection.
Router(config)# access-list 100 permit tcp any 14.2.6.0 0.0.0.255 established
Router(config)# access-list 100 deny ip any any log
Router(config)# interface serial0/0
Router(config-if)# description "external interface"
Router(config-if)# ip access-group 100 in
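To make the behaviour of access-list 100 concrete, here is an added example (not code from this guide or from Cisco) that models how an extended IP access-list is evaluated: Cisco wildcard-mask matching, the established keyword (which matches only TCP segments with ACK or RST set), first-match semantics, and the implicit, unlogged deny at the end of every list. The packets and the external addresses are constructed for the example; 14.2.6.0 is the protected network from the text.

```python
"""Model of a Cisco-style extended IP access list, used to show why the
'established' rule admits return traffic to the protected network
(14.2.6.0/24) while inbound connection attempts are denied, and why the
implicit deny at the end of the list is never logged.  Added example, not
code from the guide; the packets below are constructed."""

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags set, e.g. frozenset({"SYN"})


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any" or "address wildcard"
    dst: str
    established: bool = False  # match only ACK/RST segments (reply traffic)
    log: bool = False


def match_addr(spec, addr):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    net, wildcard = spec.split()
    a, n, w = int(ip_address(addr)), int(ip_address(net)), int(ip_address(wildcard))
    return (a & ~w) == (n & ~w)


def evaluate(rules, pkt):
    """Return (action, logged, rule_index).  rule_index None means the
    implicit deny matched, which IOS does not log."""
    for i, rule in enumerate(rules):
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if not (match_addr(rule.src, pkt.src) and match_addr(rule.dst, pkt.dst)):
            continue
        if rule.established and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            continue
        return rule.action, rule.log, i
    return "deny", False, None


# access-list 100 from the text, applied inbound on the external interface
ACL_100 = [
    Rule("permit", "tcp", "any", "14.2.6.0 0.0.0.255", established=True),
    Rule("deny", "ip", "any", "any", log=True),
]

# Constructed traffic: an external host opening a connection inbound, the
# reply half of a connection an internal host opened, and some non-matching cases
INBOUND_SYN = Packet("tcp", "203.0.113.5", "14.2.6.10", 40001, 80, frozenset({"SYN"}))
REPLY_ACK = Packet("tcp", "203.0.113.5", "14.2.6.10", 80, 33021, frozenset({"SYN", "ACK"}))
INBOUND_UDP = Packet("udp", "203.0.113.9", "14.2.6.10", 40002, 53)
OTHER_NET_ACK = Packet("tcp", "203.0.113.5", "14.2.7.10", 80, 33021, frozenset({"ACK"}))

if __name__ == "__main__":
    for name, pkt in [("inbound SYN", INBOUND_SYN), ("reply ACK", REPLY_ACK),
                      ("inbound UDP", INBOUND_UDP), ("ACK to other net", OTHER_NET_ACK)]:
        print(name, evaluate(ACL_100, pkt))
    # without the explicit 'deny ip any any log' the drop still happens but is silent
    print("implicit deny", evaluate(ACL_100[:1], INBOUND_SYN))
```

The last line of the main block is the point of the explicit deny statements earlier in this section: dropping the explicit deny changes nothing about what is blocked, only about whether the block is recorded.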


Below is an example for allowing limited external access on a Cisco router. Using the TCP intercept feature, the access list blocks packets from unreachable hosts; thus, it only allows reachable external hosts to initiate connections to a host on the protected network (e.g., 14.2.6.0). In intercept mode the router intercepts a TCP connection and determines if a host is reachable. If successful, the router establishes the connection; otherwise, it prevents the connection. This protection does not stop reachable hosts from performing this attack against the router or the protected networks.

The following command shows how to block inbound traceroute from a Unix computer.
Router(config)#access-list 111 deny udp any any range 33434 33534 log



The following commands show how to allow Telnet access from certain computers on the protected network (e.g., 14.4.4.0) to the router via an extended IP access-list. The administrator can telnet to any interface IP address on the router. However, the router converts any interface IP address to 0.0.0.0. Thus, the unusual destination IP address 0.0.0.0 must be used in the access-list.

Logging on a router or a firewall offers several benefits. It informs the administrator if the router or the firewall is working properly or has been compromised. It can also show what types of attacks are being attempted against the router, the firewall or the protected network.

The following are recommendations for logging and debugging:

Send the most serious level of logs to the console on the router or the firewall in order to alert the administrator.

Send the logs to a log host, which should be a dedicated computer on the protected network whose only job is to receive logs. The log host should have all unnecessary servers and accounts disabled except for syslog.

Configure the router or the firewall to include more specific time information in the logging and in the debugging. Direct the router or the firewall to at least two different, reliable network time protocol (NTP) servers to ensure accuracy and availability of time information. Set all NTP messages with the same IP source address of an interface on the internal network. This configuration will allow the administrator to create a TCP/IP filter that allows time information only from the internal IP address of the router or the firewall to the external NTP servers. This filter will help to prevent spoofing or flooding NTP messages to the router or the firewall. Include a more specific timestamp in each log message and each debug message. This will allow an administrator to trace network attacks more credibly.


By default, a log message contains the IP address of the interface it uses to leave the router or the firewall. Instead, set all log messages with the same IP source address of an interface on the internal network, regardless of which interface the messages use. This configuration will allow the administrator to create a TCP/IP filter that allows logs only from the internal IP address of the router or the firewall to the logging host. This filter will help to prevent spoofing or flooding log messages to the logging host.

Finally, consider also sending the logs to a dedicated printer to deal with worst-case scenarios, e.g., failure of the log host.

Set the syslog level to be sent to the router console. The following command is an example.
Router(config)#logging console informational

Note that the effect of the log keyword with the IP extended access-list statements depends on the setting of the logging console command. The log keyword takes effect only if the logging console syslog level is set to 6 (informational) or 7 (debugging). If the level is changed to a value less than 6 and if the log keyword is used within an IP extended access-list command, then no information is logged to the log host or displayed to the console. Refer to the previous section on TCP/IP Filters for discussion of access-lists in more detail. Finally, disable logging to all terminal lines except for the router console with the following command.
Router(config)# no logging monitor
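Once the log keyword is in effect, the deny statements from the TCP/IP Filters section produce one syslog message per denied flow on the log host. The following added example (not code from this guide or from Cisco) parses those messages and groups the denied traffic into the categories the filter recommendations target: Land Attack packets, traceroute probes to the UDP range blocked by access-list 111, Telnet attempts against the device, and inbound ICMP Echo. It assumes the IOS %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP message layout; the sample log lines and addresses are constructed.

```python
"""Summarize Cisco IOS access-list log messages as received on the log
host, grouping denied traffic into the attack and probe categories the
filter recommendations target.  Added example, not code from the guide;
it assumes the IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP message
layout, and the sample log lines are constructed."""

import re
from collections import Counter

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"
    r", (?P<count>\d+) packets?"
)

TRACEROUTE_PORTS = range(33434, 33535)   # UDP range denied by access-list 111


def parse_line(line):
    """Return a dict for an access-list log message, or None for any other line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def classify(rec):
    """Map a denied packet to the category it most likely represents."""
    if rec["src"] == rec["dst"] and rec["sport"] == rec["dport"]:
        return "land-attack"            # same address and port on both ends
    if rec["proto"] == "udp" and rec["dport"] in TRACEROUTE_PORTS:
        return "traceroute-probe"
    if rec["proto"] == "tcp" and rec["dport"] == 23:
        return "telnet-to-device"
    if rec["proto"] == "icmp" and rec["itype"] == 8:
        return "icmp-echo"              # inbound Echo, blocked at the perimeter
    return "other"


def summarize(lines):
    """Return (packets per category, packets per source) for denied traffic only."""
    by_category, by_source = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        by_category[classify(rec)] += rec["count"]
        by_source[rec["src"]] += rec["count"]
    return by_category, by_source


# Constructed syslog lines in the shape a log host receives from the router
SAMPLE_LOG = [
    "Sep 12 10:01:02 rtr1 201: *Sep 12 10:01:01.991 UTC: %SEC-6-IPACCESSLOGP: "
    "list 106 denied tcp 203.0.113.5(4021) -> 14.2.6.1(23), 1 packet",
    "Sep 12 10:01:09 rtr1 202: *Sep 12 10:01:08.402 UTC: %SEC-6-IPACCESSLOGP: "
    "list 111 denied udp 203.0.113.9(40123) -> 14.2.6.10(33440), 3 packets",
    "Sep 12 10:01:10 rtr1 203: *Sep 12 10:01:09.515 UTC: %SEC-6-IPACCESSLOGP: "
    "list 111 denied udp 203.0.113.9(40124) -> 14.2.6.10(33441), 1 packet",
    "Sep 12 10:02:31 rtr1 204: *Sep 12 10:02:30.117 UTC: %SEC-6-IPACCESSLOGP: "
    "list 106 denied tcp 14.2.6.1(23) -> 14.2.6.1(23), 1 packet",
    "Sep 12 10:03:44 rtr1 205: *Sep 12 10:03:43.880 UTC: %SEC-6-IPACCESSLOGDP: "
    "list 106 denied icmp 198.51.100.7 -> 14.2.6.20 (8/0), 5 packets",
    "Sep 12 10:04:00 rtr1 206: *Sep 12 10:03:59.001 UTC: %SYS-5-CONFIG_I: "
    "Configured from console by vty0 (10.2.9.5)",
    "Sep 12 10:04:12 rtr1 207: *Sep 12 10:04:11.330 UTC: %SEC-6-IPACCESSLOGP: "
    "list 102 permitted tcp 10.4.6.3(1055) -> 198.51.100.1(80), 1 packet",
]

if __name__ == "__main__":
    categories, sources = summarize(SAMPLE_LOG)
    for category, packets in categories.most_common():
        print("%-18s %d packets" % (category, packets))
    for source, packets in sources.most_common():
        print("%-18s %d packets" % (source, packets))
```

Because the router only logs when the log keyword is active and the console level is informational or higher, an empty summary from a busy perimeter is itself a finding worth checking against the logging console setting above.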

Set the IP address of the log host. Set the syslog level to be sent to the log host. Set the syslog facility type in which log messages are sent. The following commands are examples.
Router(config)#logging 10.1.1.200
Router(config)#logging trap debugging
Router(config)#logging facility local7

The following commands show an example of how to set time information for the logging and for the debugging.
Router(config)#ntp server 192.168.41.40
Router(config)#ntp server 192.168.41.41
Router(config)#ntp source Ethernet0/1

The following command shows an example of how to set all log messages with the same IP source address of a router interface.
Router(config)#logging source-interface e0/1

General Recommendations

It is highly recommended that the configuration files for the router or the firewall be created, stored and maintained on a computer offline in ASCII format. These files will contain any comments that can help give perspective to the configuration settings and the filters. Also, changes to the filters can be done with much more ease and accuracy. Then the file can be transferred from the computer to the router or the firewall. This is invaluable for diagnosing suspected attacks and recovering from them. Finally, protect the contents of the configuration files from unauthorized individuals.


Windows NT 4.0 and Windows 2000

Service Packs And Hotfixes

A service pack is a periodic update to the operating system that contains fixes to vulnerabilities and bugs. To date, Microsoft has released six service packs for Windows NT 4.0 and two service packs for Windows 2000. Updates addressing specific vulnerabilities and bugs introduced between Service Packs are called hotfixes. Service packs are cumulative, meaning they include all hotfixes from previous service packs, as well as new fixes.

In addition to installing the latest service packs, it is important to install new hotfixes, as these patches will often address current attacks that are proliferating throughout networks. Although Microsoft recommends applying a hotfix only if a system experiences the specific problem, it is recommended that all security-related hotfixes be installed immediately after installation of the latest service pack. If a service pack is reapplied at any time, the hotfixes must also be re-installed.

Checking System Patch Status

A major challenge for network administrators is keeping up to date on the latest patches. Microsoft now provides a Network Security Hotfix Checker (Hfnetchk.exe) tool that lets administrators scan their servers -- including remote ones -- to ensure that they are up to date on all security patches for Windows NT 4.0, Windows 2000, IIS 4.0, IIS 5.0, IE and SQL Server. Detailed information on Hfnetchk, including download location, is available in Knowledge Base article Q303215 at

Windows NT 4.0 Patches

To achieve the highest level of Windows NT security, install Service Pack 6a and the post Service Pack 6a hotfixes. For a complete list of available service packs and hotfixes go to http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/.

Microsoft has provided the Security Rollup Package (SRP) as a mechanism for managing the rollout of security related fixes. The SRP includes the functionality from many security patches released for Windows NT 4.0 since the release of Service Pack 6a. The SRP includes post-Service Pack 6a fixes that were delivered via Microsoft security bulletins as well as a small number of fixes that were not addressed through this forum. For a complete listing of all fixes in the SRP, refer to Microsoft Knowledge Base Article (Q299444), “Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP),” at http://support.microsoft.com/support/kb/articles/q299/4/44.asp.

Fixes not included in the SRP:

Fixes for newer vulnerabilities may not be included in the SRP. These must be applied separately and may be downloaded from http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/. In addition, the following vulnerability affecting Windows NT 4.0 systems is not included in the SRP.

UNCLASSIFIED

Enhanced Security Level Hotfix - When changing the domain password with the C2 security registry entry enabled, a “Stop 0x1E” error message may occur. The problem occurs if the administrator has Service Pack 6a (SP6a) installed and the following registry entry is set:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Session Manager
Value: EnhancedSecurityLevel
Type: REG_DWORD
Data: 1

This key ensures that Object Manager can change the attributes of a kernel object in the Object table for the current process if the previous mode of the caller is kernel mode. When attempting to change the password after setting this registry value, the following error message will be received:

Stop 0x0000001e (0xc0000005, 0x8019bb12, 0x00000000, 0x0000022c)

A supported fix that corrects this problem is now available from Microsoft, but it is not available for public download. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. This hotfix is also available from NSA. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/directory/overview.asp

Windows 2000 Patches

To achieve the highest level of Windows 2000 security, install Service Pack 2 and the post Service Pack 2 hotfixes. For a complete list of available service packs and hotfixes, refer to http://www.microsoft.com/windows2000/downloads/default.asp

List Of NT/Windows 2000 Security Measures

This list of NT/Windows 2000 security measures is by no means exhaustive. There are approximately 400 known vulnerabilities with Windows NT/2000 and associated applications. This list addresses less than 10 percent of those vulnerabilities. It should also be understood that alleviating one's network of these vulnerabilities does not render the network "secure".

Ensure that the file system is NTFS versus FAT. NTFS allows file access control to be set; FAT does not.

Limit the information available from a null connection. Null connections (anonymous users) are included in the built-in Everyone security group; thus, anonymous users have access to any resources that the Everyone group has access to. Windows NT Service Pack 6a limits much of what an anonymous user can do. Prevent anonymous users from being able to enumerate account names and shares by setting the following registry key:

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\Lsa
Name: RestrictAnonymous
Type: REG_DWORD
Value: 1

Remove the Everyone group from the “Access this Computer from the Network” user right. Replace it with the Authenticated Users group. In Windows NT 4.0, this can be

Do not allow remote registry access. There are many registry keys that allow the Everyone group, and therefore anonymous users, read and/or set value permissions. If an unauthorized user was able to remotely edit the registry, he could modify registry keys in an attempt to gain elevated privileges. Restricting remote registry access is accomplished by setting security permissions on the HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. It is highly recommended that only Administrators and System have remote access to the registry.

Ensure that the Guest Account is disabled. Ensure that all accounts (service and user) have passwords regardless of whether the account is enabled or disabled.

Disable LanMan authentication. LanMan passwords are used for backwards compatibility with older Windows operating systems (e.g., Windows 9x) and are simply the NT/2000 password converted to all uppercase and encrypted in a different way. LanMan passwords are easier to crack than the NTLM hash because they are treated as two 7-character passwords. It is recommended that LanMan passwords be disabled. If Windows 9x boxes reside on the network, Directory Client Services (available on the Windows 2000 CD) must be installed on these systems in order to allow NTLM version 2 authentication. To disable LanMan authentication, set the following registry key:

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\Lsa
Name: LMCompatibilityLevel
Type: REG_DWORD
Value: 5

Close ports 135, 137, 138, and 139 either at the premise router or firewall. For networks containing Windows 2000 systems, also block port 445. These ports are needed in an internal network, but not externally. Blocking these ports will stop many attacks against Windows NT and Windows 2000. Also, remove unneeded protocols (e.g. NetBeui, IPX).

Out-of-the-box permissions on Windows NT system files and registry keys are overly permissive. Replace the Everyone group with the Authenticated Users group on critical system folders and files (e.g. WINNT, system32) and registry keys (e.g., HKLM\Software\Microsoft\Windows\Run and HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug).

Restrict permissions on network shares. When a share is created, the default access control is Everyone having Full Control. Restrict the share permissions to only those groups that need access.

Remove all services that are not required (e.g., Telnet, FTP, Web). Ensure proper placement of services on the network (e.g. RAS or Web service should not be on a Domain Controller).

Enable auditing. At a minimum, audit logons and logoffs, failed attempts at exercising user privileges, and system events such as shutdowns.

Microsoft Applications

Vulnerabilities in applications such as Outlook, Microsoft Exchange, SQL Server, and IIS may open a network to attack. Therefore, it is important that applications be kept current with the latest patches and service packs. Microsoft provides several tools for improving application security. Some of these tools are listed below, along with a web reference to follow for more information.

URL Scan Security Tool – Allows web server administrators to restrict servers to ensure that they only respond to legitimate requests. http://www.microsoft.com/technet/security/URLScan.asp

Improved Outlook E-mail Security Update - A new version of the Outlook E-mail Security Update is available that provides protection against additional types of e-mail-based attacks. http://office.microsoft.com/downloads/2000/Out2ksec.aspx

Microsoft Personal Security Advisor - A Microsoft tool for checking that workstations are current with all security patches and configured for secure operation. http://www.microsoft.com/technet/security/tools/mpsa.asp

Microsoft Web Services

This section describes security configuration for Microsoft web servers, using IIS as the example. It is assumed that IIS has been installed from the distribution (preferably as a standalone system) and that none of the security parameters that come default in the original setup has been modified. This list is by no means a complete security guide (refer to http://nsa1.www.conxion.com/win2k/guides/w2k-14.pdf for the full IIS security guide).

Guidance:

1. Ensure that the computer that runs the web server is dedicated. It should not have other uses, e.g., being a client workstation or print server.

2. Ensure that the server is kept up-to-date on OS and web server related patches (as noted on page 3).

3. Do not perform development work on the operational web server. All data should be in final form and simply copied into place. Create a secondary mirror of the server for all development services and experimentation. Transfer data to the web server by tape, disk, or CD. Do not use FTP or telnet for data transfer.

4. Remove/Disable all unnecessary services on the web server (as noted on page 4).

5. Isolate the web server physically and virtually. If possible, allow local access to the web server to the fewest number of people with a minimal number of users. Keep the web server close to the administrator, the web engineer, or the webmaster. Keep the web server on a LAN segment separate from the rest of the IT infrastructure. Do not mount or share services to and from the server.

6. Remove all unnecessary ISAPI script mappings from the Master properties and propagate to all web servers. This will help prevent any potential vulnerability in those .dll files, such as buffer overflows, from affecting the security of your web server.

7. Separate content and place in proper directories (e.g. static files, scripts and executables).

8. Use NTFS permissions along with user groups to set the appropriate ACLs on the content, script, publishing and all other directories on the web server. This will prevent users from accessing areas and content that they should not have access to. E.g. create a special WebUsers group for the IUSR account and remove IUSR from the Everyone group.

9. Set proper IIS permissions on web sites, virtual directories, and files. Permissions set here need to match NTFS permissions. If they do not match, the most restrictive of the two will be enforced. Read for static content, scripts only for script content, and do not enable the directory browsing option.

10. Enable OS level auditing as noted on page 4, enable logging on the actual web sites, and enable auditing on problematic system binaries (many are listed on page 4).

11. Set ACLs using NTFS file permissions on at least the binary files listed on page 4. Several directories to include at a minimum are: C:\, C:\Winnt, C:\Winnt\system, C:\Winnt\system32, C:\Winnt\repair, C:\Winnt\system32\os2 and C:\Winnt\system32\inetsrv. Doing so will help to prevent a malicious user from accessing or executing files that will enable them to elevate their privileges, cause greater system damage or access sensitive information.

12. Enable IPSEC filtering to block all protocols and services (ports) other than those required for the web server to function (e.g. TCP port 80). This will minimize the malicious user's ability to attack vulnerable services and will add a layer of protection in case other security measures fail.

13. Remove all samples installed by the web server. Often these samples contain scripts that can be accessed and will reveal additional system/user information to a malicious user.

14. Use the Security Configuration and Analysis MMC snap-in along with the HISECWEB.inf policy or other similar policy. This will enable the administrator to make many of the appropriate settings in one place, which can be implemented quickly on several machines. It also helps to eliminate the human error factor when it is set up correctly the first time. The HISECWEB.inf policy requires some initial customization, but provides a good basis for locking down many web server functions.


UNIX Systems and Networks

The following recommendations can be implemented to improve the security of UNIX systems and networks.

Startup and Login Scripts

Check the permissions and ownership of files accessed or executed upon system startup and user login. If these files allow world-access, browse scripts to see if any unusual process or script is started, especially if in user directories. System files and directories should be owned by root/root or root/sys without world write or execute permissions so that they cannot be modified or exploited by unauthorized users.

User startup files should be owned by the individual user and should not allow world access. In each user's directory, check for Trojan commands or entries in hidden files (e.g. .login, .profile, .netrc, .forward) as well as files that have extensions such as .old or .backup or begin with ".." and "...".

Services and Ports

Run a port scanner, such as nmap (available at http://www.insecure.org/nmap) to list open ports and services. In addition, run netstat –a to view the status of all socket and routing table entries. Many UNIX services have well known security vulnerabilities associated with them which allow root access. All unnecessary services (e.g., rexd, rquotad, talk, sadmind, kcmsd, rstatd, fs, exec, daytime, walld, fingerd, systat, rusersd, sprayd, uucpd, chargen, time, echo, display, tftp, comsat and discard) should be disabled so they do not start at boot time. In addition, these ports should be blocked at the perimeter router or firewall.

System Trust

There are various ways for UNIX systems to allow access to a machine or an account without providing a password. Through the use of .rhosts, .forward, .netrc, hosts.lpd, and hosts.equiv files, it is possible for a user on one system to access or utilize another system without providing authentication. This practice should be reviewed for necessity. An intruder breaking into an authorized user's account can use that same trust to reach multiple machines with little effort. Do not use plus signs (+) in these files as they allow global access (to users and/or machines). Prohibit root from logging directly into a remote system through proper configuration in files such as /etc/ttys, /etc/ttytab, /etc/securetty and /etc/default/login.

Network Communication

Network communications programs like telnet, ftp, and the "r commands" (rlogin, rcp, rsh and rexec) may transmit the username and password across the network in the clear, making it easy for a sniffer to capture this information. Some administrators feel that the use of trust relationships that allow a user to access a remote system without supplying a password via rlogin and rsh eliminates the risk of password sniffing. However, if an attacker gains control of any machine in such a trusted network, access can be gained to all other machines that trust the hacked machine. If these remote services are not required, they should be disabled. If similar functionality is still required, ssh (available at http://www.openssh.com) should be installed to provide the necessary connectivity while encrypting all session-traffic (including the password) to reduce the threat of password sniffing and TCP session hijacking.

Network Configurations

Ensure that network configuration files (such as /etc/hosts, /etc/defaultdomain, /etc/defaultrouter, and /etc/netmasks) are owned by root/root and have permissions of 644.

Patches

Ensure that recommended and system security patches are installed and are up to date and that each system is rebooted after patch installation.

User Accounts

Review all user accounts. Configure each account to have a unique user ID number. Check to make sure each shell field is set to a valid shell to prevent malicious code from being executed and granting root access. Delete unneeded default system accounts (like nobody4, uucp). Make sure every line in /etc/passwd is properly formatted. Always make sure each user has a strong, valid password. Set permissions for home directories to 750.

For accountability purposes, system administrators should not directly log in as root, but rather as themselves and then switch user (su) to root. An administrative group (e.g. wheel) should be created in the /etc/group file and each administrative user should belong to that group. Once the administrative group has been created, the "su" program should have its ownership, group, and permissions changed (root/wheel, 4750) so that only authorized users have access to the "su" program.

Permissions

Look for setuid or setgid files and programs. Disable unnecessary setuid/setgid programs by deleting the suid and/or sgid bits with the chmod command. Look for world-writable directories and files and eliminate world access if not needed. This prevents unauthorized access or the insertion of malicious code. Also check for files and directories owned by root that are world-writable. These files may indicate a potential symbolic link attack or a recursive copy/modify/re-copy directory attack. World writable directories (like /tmp) should have the sticky-bit set (e.g. chmod 1777 /tmp). Check umask values. Most user umasks should be set to 022 at login.

Cron and At Jobs

Check permissions on the cron and at job configuration files cron.allow, cron.deny, at.allow and at.deny. They should be 644, root/sys. The cron.allow and at.allow files permit users to use crontab and at jobs. The cron.deny and at.deny files restrict these users from access. If .allow files do not exist, then the system checks the .deny files. Check to make sure that all cron and at jobs have valid users associated with them. Crontab files should be owned by the specific user associated with them and have permissions of 600. Make sure that all cron or at jobs use absolute paths (full path names).

Core Dumps

Check for core files. Many reside in the "/" directory, but others may be located elsewhere. Core files may contain sensitive system data and/or user passwords. Remove core files from the system via a regularly scheduled cron job. Configure the system so that when core files are created, they automatically have a zero byte size.
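As an added example that is not part of the guide, the following POSIX shell functions implement several of the User Accounts, Permissions and Cron and At Jobs checks above: unique UIDs, valid shells and well-formed lines in /etc/passwd, file mode and owner, world-writable directories without the sticky bit, setuid/setgid files, and the cron/at access files. Each function takes the file or directory to inspect as an argument so it can be pointed at a real host or at a constructed fixture; the mode/owner check assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the guide: audit helpers for the User Accounts,
# Permissions and Cron and At Jobs checks. Every function takes paths as
# arguments so it can run against a real host or a test fixture.

# Print each UID that appears more than once in a passwd-format file.
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort | uniq -d
}

# Print "<line number>: <line>" for passwd entries that do not have the
# seven colon-separated fields a valid /etc/passwd line must have.
malformed_passwd_lines() {
    awk -F: 'NF != 7 { print NR ": " $0 }' "$1"
}

# Print "<user>:<shell>" for well-formed entries whose login shell is not
# listed in the shells file (normally /etc/shells). Default accounts such
# as nobody4 with /bin/false show up here unless that shell is listed.
invalid_shell_accounts() {
    awk -F: -v shells="$2" '
        BEGIN { while ((getline line < shells) > 0) ok[line] = 1 }
        NF == 7 && !($7 in ok) { print $1 ":" $7 }' "$1"
}

# Return 0 if FILE has exactly octal MODE and is owned by OWNER; otherwise
# print the mismatch and return 1. Uses GNU stat -c (assumption: Linux).
# Usage: check_mode_owner FILE MODE OWNER   e.g. check_mode_owner /etc/hosts 644 root
check_mode_owner() {
    actual=$(stat -c '%a %U' "$1") || return 1
    if [ "$actual" = "$2 $3" ]; then
        return 0
    fi
    echo "$1: expected mode/owner $2 $3, found $actual"
    return 1
}

# List world-writable directories below DIR that lack the sticky bit; the
# guide expects such directories (e.g. /tmp) to be mode 1777.
world_writable_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# List setuid or setgid regular files below DIR for review.
setuid_setgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Check the cron/at access control files named in the guide for mode 644
# and the expected owner (root on a real system; the guide also wants group
# sys, which this helper does not check). Files that do not exist are
# skipped, since the .deny files then govern access.
# Usage: check_cron_access_files DIR [OWNER]
check_cron_access_files() {
    owner=${2:-root}
    rc=0
    for f in cron.allow cron.deny at.allow at.deny; do
        [ -e "$1/$f" ] || continue
        check_mode_owner "$1/$f" 644 "$owner" || rc=1
    done
    return $rc
}
```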

Stray system files

Regularly search for stray system files like old versions of /etc/passwd and /etc/shadow that have been inadvertently copied to temporary locations with insecure permission modes. Some entries in a stray shadow file may still contain valid user passwords that can be cracked and used to gain entry to additional accounts or systems.

Network Services

NIS

NIS has the reputation of being extremely insecure and should only be used when absolutely necessary. If the use of NIS is required, ensure NIS maps do not contain system accounts. Establish a securenets file to specify the machines allowed to connect to the NIS server. NIS+, the successor to NIS, is a better alternative, but still can be exploited when improperly configured.

NIS+

Check to see if NIS+ is running in NIS compatibility mode. If the "-YP" argument is used, the server is in NIS emulation mode and is vulnerable to all NIS attacks. Permissions on NIS+ tables should be reviewed after initial installation as NIS+ is far too lax when using the default installation settings. See the NSA publication Securing the NIS+ Namespace (C4-032R-99, 18 June 1999) for specific details.

NFS

Ensure the NFS environment is not exporting sensitive file systems to the world (like /, /usr, or /etc). Ensure no critical file systems are shared to the world with read-write access. Ensure exported file systems are only shared with specific hosts, and not globally. Ensure files are not exported to "localhost". Ensure files are shared with the "nosuid" designator, unless set-user-id execution is required. Ensure that file systems exported with root access are limited to only those systems that require it. This is set through the use of “anon=0” and “root=hostname” entries in the configuration file. Check all clients and servers to see which file systems are being mounted locally or remotely. Check automount directories for unauthorized automount maps. All maps should be protected with permissions 755 and owned by root/root.

DNS

The Domain Name System is the mechanism that Internet hosts use to determine the IP address that corresponds to a given hostname. Attackers often attempt zone transfers in order to gather information about a local network. One way to prevent zone transfers is to filter traffic from untrusted addresses to tcp port 53 on the DNS server. This can be done via firewall or router access filters. Disable the BIND name daemon (named) on systems not authorized to be DNS servers. On the servers, upgrade to the latest version of BIND and run it as a non-privileged user in a chrooted environment. Hide the version string using the version option in named.conf.

Sendmail

Upgrade to the latest version of Sendmail. Do not display the version number through sendmail banners by modifying the “DZ” line in the sendmail.cf file and by changing the version name in the source code before compilation. Ensure that the decode alias is not available. Decode should be removed or commented out of the /etc/aliases file so that it does not pipe to the 'uudecode' command and allow an attacker to overwrite system files. Check for non-standard entries in all users’ .forward files as this can open up the system to attacks.

Remove if not needed. Permissions on .forward files should be 640 and owned by the user. Run sendmail in queue mode as a root cron job on machines that are not mail servers or relays. If the system is not a server or does not have to listen for incoming mail, rename the sendmail startup script, binaries, and configuration files and change their permissions to 000.

Logs

System logging is crucial for troubleshooting and tracking unauthorized user accesses. Ideally, logs should be kept locally as well as remotely on a central loghost that does nothing but accept and store log messages. Your network security policy should help dictate which events need to be audited. Logcheck and swatch are open source tools that system administrators can use to examine log files for unusual activity, based on key phrases or specially set string patterns. They can also send email to the system administrators, alerting them to possible unauthorized activity.

X-Window Environments

Since most servers do not require the use of windowing packages, remove the X Windowing environment on all servers to avoid introducing unnecessary vulnerabilities.

Distributed Server Functions

It is a good security practice to distribute the server functions of a network among separate systems. For instance, the DNS server should be separate from the mail server, which should be separate from the firewall, etc. A number of products include the software to run a web server, mail server, DNS server and other server functions all from the firewall. However, this presents a single point of failure for the network and therefore an avoidable vulnerability. Ideally, network servers should be set apart from the user segment in a secure DMZ or secure server network. Most firewalls allow this. It can also easily be accomplished by using routers behind the firewall.

Chroot Environments

chroot is a UNIX command used to run a command or interactive shell with a special root directory. This command can also be used to create virtual file systems and directory trees. If possible, configure applications like DNS, sendmail, web and ftp servers to run in a chrooted environment. In the event that the application is compromised, the hacker would then be limited to a subset of the file system and would not have access to the real root file system.

Interesting Files

Check for files that have no permissions or have invalid owners or groups. Sometimes administrators will have files that have no permissions assigned to them. These files are generally executed by a script, cron job, or other application that temporarily changes the permissions during the execution of the program, then resets the program back to the original state. Look for stray copies of password or shadow files, files with names beginning with a “.”, and setuid root programs in world-writable directories and home directories.

Peripheral Devices

Consider removing or restricting access to local or network peripheral devices. Malicious code can be introduced into secure networks through their peripheral devices. If an external device is not required for a specific client or server, have it removed. If the device cannot be removed, disable access to it via the hardware or software. Configure the systems so they cannot be booted into single-user mode via floppies or CD-ROM drives. Make sure floppy devices do not allow setuid programs on the floppy disk to execute as a privileged user.

Buffer Overflows

Ensure that Solaris systems have a non-executable stack environment enabled. This will help prevent buffer overflow attacks from successfully executing code on the stack. Keeping the security patches up to date on all UNIX systems will eliminate many well-known buffer overflow attacks.

System Utilities and Commands

Restrict access to or remove system utilities such as compilers and debuggers, as well as utilities like traffic sniffers and security scanners, that can be used to compromise other systems on the local network.

Current OS Packages

Ensure that the system packages are current. Most, if not all, UNIX systems provide the ability to check the status of system packages.

Rootkits

There are several scripts for UNIX systems that will detect rootkits. Checking the integrity of system files against a master backup known not to be altered by malicious code is also a good practice. The consistent use of tools like Tripwire ASR will report discrepancies found in operating system software.

Security Tools

To ensure and maintain the integrity of the network servers, it is important to constantly monitor them for signs of malicious activity. There are a number of tools that can aid an administrator in this task. Two of these tools that are commonly implemented are Tripwire ASR and TCP Wrappers.

Tripwire ASR

Tripwire monitors the permissions and checksums of important system files to detect if they have been replaced or corrupted. When first installed, Tripwire ASR calculates a baseline set of checksums for the files to be monitored. A cron job can be configured to calculate the checksums of the selected files and compare them against the saved baseline on a regular basis. Tripwire ASR can be configured to send an alert to the administrator should any file’s recomputed checksum fail to match its baseline, indicating that the file has been altered.

TCP Wrappers

TCP wrappers allows the administrator to log connections to TCP services -- primarily those launched by the inet daemon. It also can restrict incoming connections to these services from systems via two files, hosts.allow and hosts.deny. Both of these features can be very useful when tracking or controlling unwanted network connection attempts.

UNIX Web Servers

This section describes security configuration for UNIX web servers, using Apache as the example. It is assumed that Apache has been installed from the distribution and that none of the security parameters that come default in the original setup has been modified.

General Guidance

Ensure that the computer that runs the web server is dedicated. It should not have other uses, e.g., being a client workstation or print server. Always upgrade to the latest version of the web server available that is not the beta version.

Do not perform development work on the operational web server. All data should be in final form and simply copied into place. Create a secondary mirror of the server for all development services and experimentation. Transfer data to the web server by tape, disk, or CD. Do not use FTP or telnet for data transfer.

Remove all unnecessary services on the web server, including FTP, telnet, and X Windows. If that is not an option, make sure to run tcpwrappers on the open services. Use a port scanner to check for open ports on both the TCP and UDP protocols. If possible, use command line interfaces instead of X Windows. Using an X windowed interface opens up ports that cannot be effectively closed and still have the system remain functional. Since the server should be in production mode only, only a command line is required to update the site. Testing of the site should be done from a separate client.

Isolate the web server physically and virtually. If possible, allow local access to the web server to the fewest number of people with a minimal number of users. Keep the web server close to the administrator, the web engineer, or the webmaster. Keep the web server on a LAN segment separate from the rest of the IT infrastructure. Do not mount or share services to and from the server.

Example: Apache

As of 26 September 2001, Apache 1.3.20 is the latest version and is available at http://httpd.apache.org

Ensure the user running the Apache web server is set to nobody. In the httpd.conf file in the /usr/local/apache/conf directory, make sure that the effective user is nobody and that the group option is also set to nobody. Below are the lines to add to the file.

User nobody
Group nobody

Ensure that user nobody does not own or have write access to the htdocs or cgi-bin subdirectories or any other subdirectory under these. Below are the commands to set ownership of these directories to root and to restrict write access to only root.

Do not store cgi-bin related data in a directory accessible to the web server. For example, create another directory called cgi-data in /usr/local/apache alongside cgi-bin and htdocs. Have the cgi scripts use that directory for data storage and manipulation.

Turn off AutoIndexing and Follow Symbolic Links. By default, Apache usually comes with automatic indexing of directories enabled. Look in the httpd.conf file (usually in the /usr/local/apache/conf directory) for the following line.

<Directory "/usr/local/apache/htdocs">

Within that set of options you will see an Options line that may look like the following.

Options Indexes FollowSymLinks Multiviews

This configuration means any request for a directory that does not find an index file will build an index of what is in the directory. Also, any symbolic link in the document directory will be followed even if it is outside of the web server's purview. For example, a symbolic link may be made to the root directory, giving at least read access to a great deal of the system as the owner of the web server process.

For the most secure/functional Directory options, this segment of the httpd.conf file should look like the following.

<Directory "/usr/local/apache/htdocs">
Options Multiviews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
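As an added example that is not from the guide or the Apache project, these shell functions check an httpd.conf for the User/Group setting and for Options lines inside <Directory> blocks that still enable Indexes or FollowSymLinks, and apply the root ownership and root-only write access the guide asks for on htdocs and cgi-bin (the commands the text refers to above). The owner and paths are arguments; the checks assume a single httpd.conf without Include files.

```shell
#!/bin/sh
# Added example, not from the guide or Apache: httpd.conf checks and the
# ownership/permission step for the content directories. Assumes a single
# httpd.conf (Include'd files are not followed).

# Print "User=<u> Group=<g>" from CONF and return 0 only if both are nobody,
# as the guide recommends; the last directive wins, as in Apache itself.
check_run_as_nobody() {
    u=$(awk '$1 == "User"  { v = $2 } END { print v }' "$1")
    g=$(awk '$1 == "Group" { v = $2 } END { print v }' "$1")
    echo "User=$u Group=$g"
    if [ "$u" = "nobody" ] && [ "$g" = "nobody" ]; then
        return 0
    fi
    return 1
}

# Print "<directory>: <option>" for every Options directive inside a
# <Directory> block that enables Indexes or FollowSymLinks (a leading "+"
# also enables; "-Indexes" disables and is not reported).
risky_directory_options() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {
            dir = $2; sub(/>.*$/, "", dir); gsub(/"/, "", dir)
        }
        /^[[:space:]]*<\/Directory>/ { dir = "" }
        dir != "" && $1 == "Options" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[+]?(Indexes|FollowSymLinks)$/) print dir ": " $i
        }' "$1"
}

# Make the content directories owned by OWNER (root on a real server) and
# writable only by that owner. Group and other keep read, plus execute on
# directories and already-executable files (the X bit), so the nobody user
# running httpd can still read and traverse them.
# Usage: lock_down_content_dirs OWNER DIR...   e.g. root /usr/local/apache/htdocs
lock_down_content_dirs() {
    owner=$1; shift
    for d in "$@"; do
        chown -R "$owner" "$d" || return 1
        chmod -R u=rwX,go=rX "$d" || return 1
    done
}
```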

Refer to the following URLs for further guidance:

http://httpd.apache.org/docs/misc/security_tips.html

http://www.linuxplanet.com/linuxplanet/tutorials/1527/1/

http://www.modperl.com/perl_conference/apache_security/

http://www.bignosebird.com/apache/a11.shtml


Intrusion Detection Systems (IDS)

This section of The 60 Minute Network Security Guide departs from the explicit detail of previous sections and provides a brief overview of Intrusion Detection Systems, describing in general terms the steps to be taken when deploying IDS in your environment.

Generally, there are two types of IDS: host based and network based. Host based IDS monitor security within a network component, such as a server or a workstation. Network based ID systems monitor the traffic between network components and networks. Some IDS are strictly network based, whereas others are a combination of network and host based. Most IDS are comprised of two components, sensors and managers. Depending on the IDS type, sensors can be either network based or host based.

The following are steps to be taken when deploying an IDS.

Step 1 - Identify what needs to be protected

To maximize the utilization of IDS, the organization must first determine in order of priority what needs to be protected. For many organizations, the various servers, i.e., application, database, file and domain controllers, contain mission critical resources. Furthermore, depending on the organization, some departments may be more critical than others or must enforce different trust relationships. All of this must be defined in a priority list prior to deploying any IDS.

Step 2 - Determine what types of sensors are required

The types of sensors that are required are dependent on the priority list defined in Step 1. A host sensor would be used to monitor a critical server, whereas a network sensor would be used to monitor network entry points and critical network segments.

Another important issue to consider is how many sensors the organization can afford to buy. This number will influence how the sensors are deployed throughout the network, as the number of critical resources must be balanced against how many sensors can be acquired and maintained.

Step 3 - Configure host system securely

Prior to loading any IDS, the host that the IDS will reside on must be configured securely. Often, the vendor of the IDS will supply its own host to run the IDS sensor, in which case the vendor should supply guidelines on how to secure that host. Otherwise, the IDS typically reside on Unix and Microsoft Windows NT/2000 hosts. The guidelines for securing Unix and Microsoft Windows NT/2000 systems are well documented elsewhere in this document.

Step 4 - Keep signature database current

The majority of IDS that are currently available for use are signature based. Because new vulnerabilities and attacks are being discovered daily, the signature database must be kept current. The respective vendors should supply the latest signatures for their IDS.

Step 5 - Deploy IDS sensors

The final phase is to actually deploy the IDS. The following scenarios are based on how many sensors are available for deployment versus what is deemed critical.

Scenario 1

If the organization can only afford to purchase and monitor one sensor of any type, then it should be a network sensor. As described earlier, a network sensor is much better suited to monitoring large segments of a network, whereas a host sensor is limited to monitoring the system that it resides on. In this scenario, the ideal location to place the sole network sensor is in the DMZ, between the external router and the firewall, as shown in Figure 1. In spite of having only one sensor, this design allows the IDS to be used for maximum effectiveness. By placing the IDS sensor between the external router and the firewall, the sensor can monitor all network traffic going to and coming from the Internet.

Furthermore, because the router can filter all incoming traffic from the Internet, the IDS sensor can be tuned to ignore certain types of attacks, thereby allowing the sensor to operate with maximum efficiency. The trade off of this placement is that the sensor sees every attack attempt, including those the firewall then blocks, so on its own it cannot show which attacks actually reached the intranet; that is what the second sensor in Scenario 2 adds.

Figure 1 - Deploying 1 ID system (diagram: Internet, DMZ containing the network based ID sensor and a web server, intranet)

Scenario 2

In the case where only two sensors of any type can be acquired and maintained, then they should be network sensors. Like the previous scenario, one of the sensors should be placed in the DMZ, between the external router and the firewall. The second sensor should then be placed between the firewall and the intranet, as shown in Figure 2. An attack seen by the second sensor as well as the first is one that breached the firewall. By strategic placement of these two sensors, all access points from the Internet will be monitored.

Scenario 3

If more than two sensors of any type can be acquired and maintained, then at least two should be network sensors. Those sensors should be deployed as described in Scenario 2. If a critical LAN within the intranet needs to be protected, then a network sensor should be placed at the entry point to that LAN. The remaining sensors should be host sensors that are loaded onto critical servers, such as domain controllers, file servers, web servers, and mail servers. The order of what is deemed critical is determined by the organization, as directed in Step 1.
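The value of the second sensor in Scenario 2 is that the manager can compare what the outer sensor (between the external router and the firewall) saw with what the inner sensor (between the firewall and the intranet) saw. The script below is an added example, not code from this guide or from any IDS product: it parses a constructed one-line alert format from two sensors named "outer" and "inner" (both names are assumptions) and sorts each attack into "breached the firewall", "blocked at the perimeter" or "seen inside only". The sample alerts are constructed for the illustration.

```python
"""Correlate alerts from the two network sensors of Scenario 2 to show
which attacks breached the firewall.

Added example, not code from the NSA guide or from any IDS product. The
one-line alert format, the sensor names "outer" and "inner" and the sample
alerts are constructed for this illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed alert format, one alert per line:
#   <sensor> <time_in_seconds> <signature_id> <src_ip> <dst_ip> <proto>/<dst_port>
SAMPLE_ALERTS = """\
outer 1000 1243 203.0.113.5 192.0.2.10 tcp/80
inner 1002 1243 203.0.113.5 192.0.2.10 tcp/80
outer 1010 2003 203.0.113.7 192.0.2.25 tcp/445
outer 1020 1243 203.0.113.9 192.0.2.30 tcp/80
inner 1900 1243 203.0.113.9 192.0.2.30 tcp/80
inner 1030 3311 192.0.2.40 192.0.2.50 tcp/139
"""


@dataclass(frozen=True)
class Alert:
    sensor: str
    ts: int
    sid: int
    src: str
    dst: str
    service: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse the constructed format; reject malformed lines rather than guessing."""
    alerts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        sensor, ts, sid, src, dst, service = fields
        if sensor not in ("outer", "inner"):
            raise ValueError(f"line {lineno}: unknown sensor {sensor!r}")
        alerts.append(Alert(sensor, int(ts), int(sid), src, dst, service))
    return alerts


def attack_key(a: Alert) -> tuple:
    """Two alerts describe the same attack if signature, endpoints and service match."""
    return (a.sid, a.src, a.dst, a.service)


def correlate(alerts: list[Alert], window: int = 60):
    """Split attacks into three lists of (sid, src, dst, service) keys.

    breached: seen by the outer sensor and then by the inner sensor within
              `window` seconds, so the firewall let it through.
    blocked:  seen by the outer sensor only (or by the inner sensor too late
              to be the same event); the router or firewall stopped it.
    inside:   seen by the inner sensor only; it never crossed the monitored
              entry point, so it originated inside or used an unmonitored path.
    """
    outer: dict = defaultdict(list)
    inner: dict = defaultdict(list)
    for a in alerts:
        (outer if a.sensor == "outer" else inner)[attack_key(a)].append(a.ts)

    breached, blocked, inside = [], [], []
    for k, outer_ts in outer.items():
        inner_ts = inner.get(k, [])
        matched = any(0 <= i - o <= window for o in outer_ts for i in inner_ts)
        (breached if matched else blocked).append(k)
    for k in inner:
        if k not in outer:
            inside.append(k)
    return breached, blocked, inside


if __name__ == "__main__":
    breached, blocked, inside = correlate(parse_alerts(SAMPLE_ALERTS))
    for label, keys in (("BREACHED FIREWALL", breached),
                        ("blocked at perimeter", blocked),
                        ("seen inside only", inside)):
        for sid, src, dst, service in keys:
            print(f"{label:22} sid={sid} {src} -> {dst} {service}")
```

The time window matters: the third attack in the sample data is seen by both sensors but almost fifteen minutes apart, so it is reported as blocked rather than breached, and a practitioner would examine the two events separately. The "seen inside only" list is the interesting residue of Scenario 2: such alerts point either at an internal source or at an entry point the two sensors do not cover.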

Step 6 - Management and Configuration

The other component of IDS, the manager, should be centrally located where dedicated security staff can monitor the health of the systems and network. Many organizations have a Network Operations Center (NOC) that fulfills the role of a central location to place the manager. IDS sensors could then report all alerts to the NOC, thereby allowing the security staff to respond quickly to attacks and to notify the appropriate authorities, such as CERT technicians.

The other issue to consider is how to configure the sensors. Careful configuration of the sensors can increase the effectiveness of IDS, and all unnecessary signatures should be disabled. For example, if the network is entirely composed of Microsoft Windows NT systems, then the sensors can be configured to ignore any attacks that are directed against Unix systems. This tuning is only as sound as the inventory behind it: a signature disabled because there are no Unix hosts becomes a blind spot the day a Unix host is added, so the sensor configuration must be revisited whenever the inventory changes. Therefore, if the organization has a priority list as defined in Step 1, as well as knowing the network intimately, it can benefit greatly from having a properly configured IDS.
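One way to make the tuning in Step 6 repeatable is to derive the disabled signature list from the Step 1 inventory instead of editing it by hand. The script below is an added example, not code from this guide or from any IDS vendor: the signature catalogue, the platform tags, the host inventory and the "disablesid <sid>" output form are all constructed for the illustration. It keeps every platform independent signature, disables those whose target platforms are absent from the inventory, records the reason beside each disabled entry, and shows that adding a Unix mail server to the inventory re-enables the Unix signature.

```python
"""Tune a sensor's signature set to the platforms actually present on the
segment it protects (Step 6), so that signatures for attacks against absent
platforms do not generate alerts.

Added example, not code from the NSA guide or from any IDS vendor. The
signature catalogue, the host inventory, the platform tags and the
'disablesid <sid>' output form are all constructed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    # Platforms or services the attack applies to; empty means platform independent.
    targets: frozenset[str]


# Constructed catalogue (not a real vendor's signature database).
SIGNATURES = [
    Signature(1001, "Windows IIS web server exploit attempt", frozenset({"windows", "iis"})),
    Signature(1002, "Solaris RPC service exploit attempt", frozenset({"solaris"})),
    Signature(1003, "Unix sendmail exploit attempt", frozenset({"unix", "sendmail"})),
    Signature(1004, "Windows file sharing enumeration", frozenset({"windows"})),
    Signature(1005, "TCP port scan", frozenset()),
    Signature(1006, "Apache web server exploit attempt", frozenset({"apache"})),
]

# Constructed inventory for an all-Windows segment (the Step 1 priority list):
#   host -> (priority, platforms/services running on it)
INVENTORY = {
    "dc1.example.local": (1, {"windows"}),
    "web1.example.local": (2, {"windows", "iis"}),
    "file1.example.local": (3, {"windows"}),
}


def platforms_present(inventory: dict) -> set[str]:
    """Union of every platform tag in the inventory."""
    present: set[str] = set()
    for _priority, platforms in inventory.values():
        present |= set(platforms)
    return present


def tune(signatures: list[Signature], inventory: dict):
    """Return (enabled, disabled). A signature stays enabled if it is platform
    independent or if any of its target platforms is present in the inventory."""
    present = platforms_present(inventory)
    enabled, disabled = [], []
    for sig in signatures:
        if not sig.targets or sig.targets & present:
            enabled.append(sig)
        else:
            disabled.append(sig)
    return enabled, disabled


def render_tuning(disabled: list[Signature], inventory: dict) -> str:
    """Emit one 'disablesid' line per disabled signature with its reason, so the
    change can be reviewed and reversed when the inventory changes."""
    present = sorted(platforms_present(inventory))
    lines = [f"# platforms in inventory: {', '.join(present)}"]
    for sig in disabled:
        missing = ", ".join(sorted(sig.targets))
        lines.append(f"disablesid {sig.sid}  # {sig.name}: no {missing} host in inventory")
    return "\n".join(lines)


if __name__ == "__main__":
    enabled, disabled = tune(SIGNATURES, INVENTORY)
    print(render_tuning(disabled, INVENTORY))
    # Adding one Unix mail server to the inventory must bring signature 1003 back.
    grown = {**INVENTORY, "mail1.example.local": (4, {"unix", "sendmail"})}
    _, still_disabled = tune(SIGNATURES, grown)
    print("after adding mail1:", [s.sid for s in still_disabled])
```

Generating the list from the inventory rather than by hand has two practical benefits: the reason for each disabled signature is recorded where the next administrator will see it, and the list is regenerated, not patched, when a host is added.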